Cyber security

SQLRecon – Comprehensive Guide To SQL Server Exploitation And Defense

SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation.

For detailed information on how to use each technique, refer to the wiki.

You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself.

This should be as straight forward as cloning the repo, double clicking the solution file and building.

Prevention, detection and mitigation guidance has also been provided for all you defenders out there.

Check out my blog post on the IBM Security Intelligence website. If you prefer videos, then check out my presentation at Black Hat.

Enumeration Modules

Enumeration Modules do not require an authentication provider to be supplied. These modules must be passed into the enumeration module flag (/e:, /enum:).

Info    - Show information about the SQL server.
          /h:, /host    -> SQL server hostname or IP. Multiple hosts supported.
          /port:        -> (OPTIONAL) Defaults to 1434 (UDP).
          /t:, timeout: -> (OPTIONAL) Defaults to 3s.

SqlSpns - Use the current user token to enumerate the AD domain for MSSQL SPNs.
          /d:, /domain: -> (OPTIONAL) NETBIOS name or FQDN of domain.

Authentication Providers

SQLRecon supports a diverse set of authentication providers (/a:, /auth:) to enable interacting with a Microsoft SQL Server.

WinToken   - Use the current users token to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP

WinDomain  - Use AD credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> NETBIOS name or FQDN of domain.
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

Local      - Use local SQL credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

EntraID    - Use Azure EntraID credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> FQDN of domain (DOMAIN.COM).
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

Authentication Providers – Additional Details

  • Hosts: The host flag (/h:, host:) is required and allows one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example /h:SQL01,10.10.10.2,SQL03.
  • Database: SQLRecon connects to the master database by default, however, this can be optionally changed by supplying a custom database name via the database (/database:) flag.
  • Debug: The /debug flag is optional and displays all SQL queries that are executed by a module, without actually executing them on the remote host(s). An example of this can be found in the wiki.
  • Port: In some cases, a Microsoft SQL Server may not be listening on a standard TCP port. Some examples are Microsoft SQL Server failover clustering, or dynamic TCP ports. SQLRecon connects to databases via TCP Port 1433 by default, however, this can be optionally changed using the /port: flag.
  • Timeout: The default SQL database connection time is 3 seconds, however, this value can be optionally changed by supplying a timeout value (/t:, /timeout:) which corresponds to the number of seconds before terminating the connection attempt.
  • Verbose: The /v, /verbose flag is optional and displays all SQL queries that are executed by a module before executing them on the remote host(s). An example of this can be found in the wiki.

Please note that the EntraID authentication provider requires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from.

This is for Azure EntraID authentication and authorization functionality.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Promptmap

Prompt injection is a type of security vulnerability that can be exploited to control the…

2 days ago

Firefly – Black Box Fuzzer For Web Applications

Firefly is an advanced black-box fuzzer and not just a standard asset discovery tool. Firefly…

2 days ago

Winit : Cross-Platform Window Creation And Management In Rust

Winit is a robust, cross-platform library designed for creating and managing windows in Rust applications.…

2 days ago

Browser Autofill Phishing – The Hidden Dangers And Security Risks

In today’s digital age, convenience often comes at the cost of security. One such overlooked…

2 days ago

Terminal GPT (tgpt) – Your Direct CLI Gateway To ChatGPT 3.5

Terminal GPT (tgpt) offers a seamless way to bring the power of ChatGPT 3.5 directly…

2 days ago

garak, LLM Vulnerability Scanner : The Comprehensive Tool For Assessing Language Model Security

garak checks if an LLM can be made to fail in a way we don't…

5 days ago